On Fri, Aug 16, 2013 at 1:03 AM, Per-Erik Persson <[email protected]> wrote: > When OSSEC detects some abusive emailaddresses the agent is supposed to add > this emailaddress to a userlist. > This works mostly, if I restart everything it works for a short while. > > I see the events triggering the alert and active-response in > /var/ossec/logs/alerts/alerts.log on the server. > However the /var/ossec/logs/active-responses.log on the client usually > doesn't show any activities for that specific rule. > But if I fire it manually via /var/ossec/bin/agent_control it always work as > expected.(besides the fact that the emailaddress is passed as an ipaddress) > The username argument is used to pass on the emailaddress, could this be the > problem? > I see warnings about really ugly emailaddresses in /var/ossec/logs/ossec.log > but these ones is not the problem. > > How do I debug this ? Can I see when the client actually forks the process > for the active response? >
What is your AR configuration? What log messages are you expecting AR from that are not working? > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
